Been reading this and, like the other folk, am unsure as to why a generic user account / password combination must be used in lieu of the passworded account that the user is attempting to change. But, be that as it may, I'll take it for granted that it is an unavoidable situation.

Someone could conceivably use the generic username/password combination to log directly into the domain on a Windows 2000/XP workstation. Once there, the chances that our nefarious guest will obtain other valid account names and shares go way up! It could be argued that you're better off having the website accessible through enabled Anonymous Access (presumably IIS is being used). You could configure the generic account and password combination to be used through IIS Admin. At least it wouldn't be public knowledge. SSL would be highly advised!

Richard

From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]
On Behalf Of AWS

There's a proposal at my company for a self service password reset website which uses a shared domain account. It's similar to a kiosk configuration, but the intent is to publicize the account and password so that it can be used from any user's PC when needed.

They have an account-specific OU/GPO configuration which locks down the typical stuff you would expect, but my position is that there are too many unknown vectors for such an account to be abused. Since I don't dabble in the various black hat utils du jour, does anyone have any thoughts on how a globally known domain account could be hacked upon? Conversely, is there any way such an account could be effectively locked down?

Thanks,
AW
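A concrete version of the lock-down Richard sketches above, written here as an added example (it is not code from anyone in this thread): keep the shared account out of interactive use by restricting the machines it may log on to, hand it to IIS as the anonymous identity for the reset site so the password never has to be published, and require TLS on that site. It assumes a current Active Directory and IIS 7 or later with the ActiveDirectory and WebAdministration PowerShell modules (the thread itself is Windows 2000/XP era and would do the IIS part in IIS Admin); the domain CORP, the account pwreset, the host WEB01 and the site name PwReset are placeholders.

```powershell
# Added example, not from the thread. Assumes the ActiveDirectory and
# WebAdministration modules. CORP\pwreset, WEB01 and the site "PwReset"
# are placeholder names. Run on the web server as a domain admin.
Import-Module ActiveDirectory
Import-Module WebAdministration

$Account  = 'pwreset'              # the shared domain account
$Domain   = 'CORP'
$WebHost  = 'WEB01'                # the only box the account may log on to
$SiteName = 'PwReset'
$Secure   = Read-Host -AsSecureString -Prompt "Password for $Domain\$Account"

# 1. Restrict the account to the web server's NetBIOS name, so the
#    credentials are of little use from any other workstation even if
#    they leak. Also stop anyone holding the password from changing it
#    and locking the site out.
Set-ADUser -Identity $Account -LogonWorkstations $WebHost -CannotChangePassword $true

# 2. The account should carry nothing beyond Domain Users; the reset
#    mechanism itself (a service, or delegated rights on an OU) does the
#    privileged work, not this identity. Warn if that is not the case.
$Extra = (Get-ADUser -Identity $Account -Properties MemberOf).MemberOf
if ($Extra) { Write-Warning "$Account is a member of: $($Extra -join ', ')" }

# 3. Give the identity to IIS as the anonymous user for the reset site
#    (the "Anonymous access" setting Richard refers to). The password now
#    lives in applicationHost.config instead of being public knowledge.
$Bstr  = [Runtime.InteropServices.Marshal]::SecureStringToBSTR($Secure)
$Plain = [Runtime.InteropServices.Marshal]::PtrToStringAuto($Bstr)
[Runtime.InteropServices.Marshal]::ZeroFreeBSTR($Bstr)

$AppHost = 'MACHINE/WEBROOT/APPHOST'
$Anon    = '/system.webServer/security/authentication/anonymousAuthentication'
Set-WebConfigurationProperty -PSPath $AppHost -Location $SiteName -Filter $Anon -Name enabled  -Value $true
Set-WebConfigurationProperty -PSPath $AppHost -Location $SiteName -Filter $Anon -Name userName -Value "$Domain\$Account"
Set-WebConfigurationProperty -PSPath $AppHost -Location $SiteName -Filter $Anon -Name password -Value $Plain

# 4. Require TLS ("SSL would be highly advised"), so the real credentials
#    a user types into the reset page are not sent in the clear.
Set-WebConfigurationProperty -PSPath $AppHost -Location $SiteName `
    -Filter '/system.webServer/security/access' -Name sslFlags -Value 'Ssl'

# 5. Show what was applied. Pair this with a GPO that lists the account
#    under "Deny log on locally" and "Deny log on through Remote Desktop
#    Services" on every machine other than the web server.
Get-ADUser -Identity $Account -Properties LogonWorkstations |
    Select-Object SamAccountName, LogonWorkstations, Enabled
Get-WebConfigurationProperty -PSPath $AppHost -Location $SiteName -Filter $Anon -Name userName
```

Two caveats a practitioner should keep in mind. The LogonWorkstations restriction is checked against the workstation name the client presents at logon, so treat it as defence in depth rather than a hard barrier; the deny-logon user rights in GPO are the stronger control. And once the account is the IIS anonymous identity, the web application runs as it for every visitor, so whatever rights it needs to perform a reset should be delegated on the target OU only, never granted through Account Operators or similar groups.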